Privacy Compliance in Data Retrieval

ABSTRACT

Data may be retrieved from databases using various types of code, functions and programs. To ensure that the code, functions and programs comply with privacy requirements and regulations, the code and programs may be audited. In one example, an activity log may be queried to identify code that was executed to retrieve and display database information. A system may then determine whether an unauthorized entity was able to retrieve and/or view the database information. If so, the code or program may be labeled as non-compliant. Alternatively or additionally, a system may parse data retrieval code to determine whether privacy protection code is included therein. If not, the code may be deemed non-compliant. Reports may be generated identifying the non-compliant data retrieval code or function and, in some arrangements, specifying compliance statistics.

BACKGROUND

While electronic data has improved ease of information access and distribution, privacy and security concerns have come into focus. Customers, employees, organizations and other entities are all eager to maintain adequate protection of their private information from unauthorized and unnecessary access. In some instances, privacy requirements are defined as a set of regulations and specifications. In other instances, technological measures are implemented to provide information privacy and security.

SUMMARY

Aspects of the disclosure provide information privacy auditing to identify non-compliant data access. The non-compliant data access may then be reported for correction and/or suspension.

According to one or more aspects, a catalog of data access code such as views may be maintained. To evaluate the privacy compliance of the data access code, in some arrangements, the data retrieval code and/or programs may be parsed to identify whether privacy code is included therein. The catalog of data retrieval and access code may be a copy of a main catalog so that the main catalog does not experience additional processing load. Additionally or alternatively, a compliance report may be generated. For example, the report may provide compliance statistics to aid in identifying areas requiring compliance improvement.

According to another aspect, identification of non-compliant data access may include determining whether data retrieved by a user (e.g., using database code) is subject to privacy requirements. If so, a system may further determine whether the user is authorized to retrieve and/or view the data. If the user is not authorized, the system may determine that the database code used to retrieve the data is non-compliant and require correction or deletion of the code. Other or additional repercussions may be used in response to determining data retrieval code is non-compliant with privacy requirements.

According to some aspects, auditing of database retrieval code may be triggered based upon a request to migrate or implement the code to a live operating environment.

This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. The Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing summary of the claimed subject matter, as well as the following detailed description of illustrative embodiments, is better understood when read in conjunction with the accompanying drawings, which are included by way of example, and not by way of limitation with regard to the claimed subject matter.

FIG. 1 illustrates a computing environment in which one or more aspects described herein may be implemented.

FIG. 2 illustrates an example network environment through which users may request data from a database according to one or more aspects described herein.

FIG. 3 is a flowchart illustrating an example method for identifying non-compliance in data retrieval according to one or more aspects described herein.

FIGS. 4A and 4B illustrate portions of an example privacy auditing report according to one or more aspects described herein.

FIG. 5 is a flowchart illustrating an example method for determining privacy compliance according to one or more aspects described herein.

FIG. 6 is a flowchart illustrating an example method for triggering privacy or security auditing according to one or more aspects described herein.

DETAILED DESCRIPTION

In the following description of various illustrative embodiments, reference is made to the accompanying drawings, which form a part hereof, and in which is shown, by way of illustration, various embodiments in which the claimed subject matter may be practiced. It is to be understood that other embodiments may be utilized and structural and functional modifications may be made without departing from the scope of the present claimed subject matter.

Organizations and individuals regularly generate and process sensitive information including customer information, privacy memoranda, security codes, settlement terms, negotiation information and the like. In many instances, such information is stored in a database to allow access and retrieval as needed and privacy requirements are defined to protect the sensitive nature of the information. In some cases, privacy requirements may be defined by government regulations, company rules, customer requests, public opinion and the like. The various aspects described herein provide for privacy and security auditing of data retrieval to ensure compliance with privacy and security regulations and requirements.

FIG. 1 illustrates a computing environment in which one or more aspects described herein may be implemented. A computing device such as computer 100 may house a variety of components for inputting, outputting, storing and processing data. For example, processor 105 may perform a variety of tasks including executing one or more applications, retrieving data from a storage device such as storage 115 and/or outputting data to a device such as display 120. Processor 105 may be connected to Random Access Memory (RAM) module 110 in which application data and/or instructions may be temporarily stored. RAM module 110 may be stored and accessed in any order, providing equal accessibility to the storage locations in RAM module 110. Computer 100 may further include Read Only Memory (ROM) 112 which allows data stored thereon to persist or survive after computer 100 has been turned off. ROM 112 may be used for a variety of purposes including for storage of computer 100's Basic Input/Output System (BIOS). ROM 112 may further store date and time information so that the information persists even through shut downs and reboots. In addition, storage 115 may provide long term storage for a variety of data including applications and data files. Storage 115 may include any of a variety of computer readable media such as disc drives, optical storage mediums, magnetic tape storage systems, flash memory and the like. In one example, processor 105 may retrieve an application from storage 115 and temporarily store the instructions associated with the application in RAM module 110 while the application is executing.

Computer 100 may output data through a variety of components and devices. As mentioned above, one such output device may be display 120. Another output device may include an audio output device such as speaker 125. Each output device 120 and 125 may be associated with an output adapter such as display adapter 122 and audio adapter 127, which translates processor instructions into corresponding audio and video signals. In addition to output systems, computer 100 may receive and/or accept input from a variety of input devices such as keyboard 130, storage media drive 135 and/or microphone (not shown). As with output devices 120 and 125, each of the input devices 130 and 135 may be associated with an adapter 140 for converting the input into computer readable/recognizable data. In one example, voice input received through microphone (not shown) may be converted into a digital format and stored in a data file. In another example, credit card input may be received through a card reader (not shown) and converted into a digital format. In one or more instances, a device such as media drive 135 may act as both an input and output device allowing users to both write and read data to and from the storage media (e.g., DVD-R, CD-RW, etc.).

Computer 100 may further include one or more communication components for receiving and transmitting data over a network. Various types of networks include cellular networks, digital broadcast networks, Internet Protocol (IP) networks and the like. Computer 100 may include adapters suited to communicate through one or more of these networks. In particular, computer 100 may include network adapter 150 for communication with one or more other computer or computing devices over an IP network. In one example, adapter 150 may facilitate transmission of data such as electronic mail messages and/or financial data over a company or organization's network. In another example, adapter 150 may facilitate transmission or receipt of information from a worldwide network such as the Internet. Adapter 150 may include one or more sets of instructions relating to one or more networking protocols. For example adapter 150 may include a first set of instructions for processing IP network packets as well as a second set of instructions associated with processing cellular network packets. In one or more arrangements, network adapter 150 may provide wireless network access for computer 100.

One of skill in the art will appreciate that computing devices such as computer 100 may include a variety of other components and are not limited to the devices and systems described in FIG. 1.

FIG. 2 illustrates an example network environment in which a database of information may be accessed and used for various purposes. For example, in a financial system, client devices 201a and 201b (e.g., computer 100 of FIG. 1) may request and retrieve customer data (e.g., personal information, financial information, account data, etc.) from database 203 by executing various pieces of computer-executable codes such as views. Each view may include a SQL script or series of commands in one particular example where database 203 corresponds to a SQL database. The view may be executable by a view generator that is configured to process view code (e.g., SQL code). Other types of database languages and structures may be used as desired or needed. Database 203 may store additional or alternative data including other types of company or organization information such as employee data, scheduling information, inventory information and the like. Database 203 may store multiple data records with each record having multiple attributes. For example, if each record represents a customer of a company, the record attributes may include name, contact information, account number and the like. According to another aspect, database 203 or one or more of compliance evaluation system 207 and view logging system 205 may further store a catalog of views that are available for execution by users of the systems 207 and 205. The catalog may store a list of all available (e.g., retrievable and executable) views or all views including those that may be suspended or otherwise unavailable.

Upon a user accessing data in database 203, the access and retrieval of the data may be logged by view logging system 205. For example, view logging system 205 may be configured to detect execution of a view that retrieves data from database 203. The logged information may include an identifier (e.g., a name, ID number, address, username, etc.) of the user requesting the view, identification of the data retrieved, a time of the retrieval/access, a database accessed, whether a portion or all of the data retrieved was masked (e.g., rendered unviewable) from the requesting user and the like. Data may be masked if privacy settings or conditions require protection of the data from view by certain individuals, types of individuals, organizations, groups and the like. For example, to identify the individual or type of requesting individual, the user may be required to login or otherwise identify and authenticate themselves through client devices 201a and/or 201b in conjunction with requesting data from database 203. Accordingly, data that the user has permission to view and does not have permission to view may be determined by client devices 201a or 201b or database 203 once the user has logged in and/or been authenticated. In some arrangements, privacy might only be required for certain attributes or certain records. Thus, while some portions of the requested data are viewable, other portions might be hidden from the requesting user's view (e.g., by replacing the data with “XXXX”, leaving the data blank or the like). If a user is not authorized to view one or more portions of the requested data, those portions might not be requested by the client device 201a or 201b or returned by the database 203.

In some instances, a view might not include privacy code even though privacy requirements are defined for the data that the view is configured to retrieve. In order to identify such non-compliant views, compliance evaluation system 207 may be configured to analyze the views to determine whether the views comply with currently defined privacy requirements. In one example, evaluation system 207 may parse an activity log generated by the view logging system 205 to identify the data (and type of data) retrieved by a user using a particular view. The evaluation system 207 may then determine whether any privacy requirements were violated by the information provided to the user in view of the privacy requirements. In another example, evaluation system 207 may parse or otherwise analyze the executable code of the view to identify the types of data that the view is configured to retrieve and to subsequently determine whether privacy requirements exist for those types of data. If so, the evaluation system 207 may subsequently determine whether privacy code exists in the view to enforce those privacy requirements. Additional details of determining whether a view is privacy-compliant are provided below.

Each of evaluation system 207, database 203 and view logging system 205 may be a separate computing system connected through a network. Alternatively, two or more of evaluation system 207, view logging system 205 and database 203 may be part of the same computing device or system. For example, database 203 may be stored within evaluation system 207 or view logging system 205.

FIG. 3 is a flowchart illustrating an example process by which views may be evaluated for privacy protection compliance. In step 300, a compliance evaluation system may identify a set of views to review. The set of views may be all views available to users or may be a subset of all views (e.g., views used by a particular organization, views created by one or more particular authors, views configured to retrieve data from one or more particular databases or tables). As noted herein, views or identification of views may be stored in a catalog or database. In one example, the views may be identified from the catalog (e.g., evaluate all views in the catalog). In another example, only certain views may be retrieved from the catalog for evaluation purposes based on a filter or other specified criteria. According to some arrangements, a copy of the catalog may be used for view identification and evaluation purposes. The catalog may be copied based on a predefined schedule such as based on an amount of time (e.g., every hour, 30 minutes, 10 minutes, 2 hours, 6 hours, 12 hours, 24 hours, week, two days, month, etc.), a condition being satisfied (e.g., a new view being added, a view being changed, any type of update to the catalog, etc.) and/or upon demand (e.g., upon initiation of a compliance evaluation). Once the views to be evaluated have been identified, the compliance evaluation system may retrieve the code for each view in step 305. For example, for views operating against SQL databases, the SQL code of each view may be retrieved. The code may be stored in the catalog or in another database. In one example, the view identification information retrieved from the catalog may be used to retrieve the corresponding code from a code database.

In step 310, the compliance evaluation system may parse the view code to identify the data the view is configured to retrieve. For example, in SQL databases, the data may be identified using field (e.g., column, row, record, etc.) and/or table identifiers specified in the code. Subsequently, the compliance evaluation system may determine whether any of the data is subject to privacy protection and requirements in step 315. Determining whether any of the data to be retrieved is subject to privacy requirements may include querying a database of privacy requirements using the data as a key. Privacy requirements may be based on whether data is retrieved (e.g., returned by a database to the requesting device) and/or whether the data is displayed. In some instances, a privacy violation may occur where the data is displayed, while the retrieval or return of data might not amount to a violation. In other cases, the retrieval or return of data may be a violation regardless of whether the data was viewed. Various other methods of storing and determining privacy requirements may be used.

If any of the data is subject to privacy requirements a system may determine, in step 320, whether the code corresponding to each privacy protected piece of data in the view includes privacy enforcement code. For example, the view may include statements (e.g., CASE or IF statements for SQL code) configured to allow retrieval of the data only if one or more conditions are satisfied. In a particular example, retrieval of data may be conditioned on the requesting user being authorized to view and/or access the information. Alternatively or additionally, the view may include code conditioning display of the privacy protected data on one or more requirements being satisfied. If none of the data is subject to privacy protection or requirements, the system may proceed to analyze another view, if any. If no other views exist, the system may proceed to generate a compliance report as shown in step 330.

If privacy protection code does not exist in the view and the data is subject to privacy requirements, the compliance evaluation system may flag the view as non-compliant in step 325. Additionally, the date on which non-compliance was detected may also be recorded. In some arrangements, the compliance evaluation system may also suspend availability and accessibility of the view, notify one or more entities of the non-compliance and/or require correction by a certain deadline. The process of 305-325 may be repeated for each identified view. The compliance evaluation system may further generate a compliance report identifying all views that were non-compliant in step 330. For example, the report may provide statistical data specifying a number or percentage of non-compliant views overall, non-compliant views per department or organization, execution of non-compliant views and the like. The report may also be generated specifically for a requesting user or organization and may differ depending on the requesting entity. For example, if a user from department 1 requests the report, only statistics for views generated or executed by department 1 may be reported. Alternatively, the system may generate the same report for all requesting viewers.

FIGS. 4A and 4B illustrate example portions of a privacy audit report that may be generated as a result of the process described in FIG. 3. In FIG. 4A, for example, the report may include identification information such as a report number, a report date and identification of an entity that generated or requested generation of the report. The report number may correspond to a unique identifier associated with each view that was audited during the compliance evaluation process while the report date may indicate when the audit or evaluation of that view was performed. An environment field may be populated with the name or identifier of an operating environment or system in which the view was evaluated or executed. For example, some organizations may provide a testing environment in which new code, software, systems and the like are tested prior to deployment into a public operating environment or system used in everyday operations. The various environments may be structured such that execution in one environment might not affect operations and functionality in another environment. Accordingly, the report may specify the particular environment in which the view was evaluated.

The report may further identify a database that the view is configured to retrieve data from and a name of the view as further illustrated in FIG. 4A. An organization may have multiple databases storing different types or categories of data. For example, each department in a financial institution may have its own database. For each view, the report may further indicate whether the view includes privacy protection and whether the view is privacy compliant. In particular, a view may include privacy code; however, if the privacy code is not sufficient based on privacy requirements, the view may be non-compliant. The portion of the report shown in FIG. 4A further includes an indication of whether the view corresponds to a base view or an X view, where base views are generally exempt from privacy controls and X views are views with at least one record attribute (e.g., columns in a table) removed or otherwise hidden from view. The report may further indicate a date of creation of the view.

A second portion of the report, as illustrated in FIG. 4B, is configured to specify a number of non-privacy views and a number of privacy protected columns. For example, the report may indicate the number of record attributes (e.g., columns in a table) retrieved by the corresponding view that are subject to privacy protection. This may provide a reviewer with some insight into the potential severity of a lack of privacy enforcement for a particular view. Additionally, the number of non-privacy views may indicate whether a database of views is particularly problematic given a number of views that do not have privacy enforcement but that should. Additionally, the portion of the report may also identify the privacy code version and an author of the code. The simple view on table field may identify whether the view corresponds to a complete view of a table without any restrictions or filtering. In some arrangements, the report may further indicate a number of executions of the view to provide a sense of how often the view is used or how popular it is. If a non-compliant view is used often, the severity of the non-compliance may be higher. Similarly, if a non-compliant view is used less often, the severity of the non-compliance may be lower.

FIG. 5 is a flowchart illustrating another example process for evaluating privacy compliance of data access code such as views. In step 500, for example, a system such as evaluation system 207 (FIG. 2) may retrieve a copy of a database view activity log. Retrieval of the copy may include causing a copy of the view activity log to be generated on-demand and/or obtaining a pre-generated copy of the log. Copies of the view activity log may be generated based on a specified schedule such as daily at a predefined time, once every specified time period (e.g., 6 hours, 12 hours, 30 minutes, 2 hours, etc.), once every specified number of view requests and the like. In some arrangements, the original activity log (e.g., a non-copied version) may be used instead.

In step 505, the system may determine and identify, based on the retrieved activity log or copy, instances of views being executed by users. For example, the system may parse the activity log for key words signifying the execution of a view. Subsequently, for each identified execution of a view, the system may determine the data retrieved from the database in step 510. Again, the system may make such a determination based on the activity log since, as noted, the activity log may specify the data and types of data that were retrieved. Once the system has identified the data retrieved, the system may, in step 515, determine whether any of the retrieved data is subject to privacy protection requirements. For example, the system may compare the data retrieved to a list of records, record attributes and the like that require privacy protection. In one arrangement, records may correspond to each row in a table while each record attribute corresponds to the table columns. Accordingly, the system may determine if any of the retrieved/returned data includes protected records or protected record attribute data. In one example, the list of records and record attributes that are privacy protected may be determined by identifying flagged records and attributes in the database or table stored in the database (e.g., database 203 of FIG. 2). The list of privacy protected records and attributes may thus be generated on-demand, if desired. Alternatively, the list of privacy protected records may be pre-generated and stored with the specific table or database.

If none of the data retrieved for the view is privacy protected, the system may return to step 510 for the next identified instance of view execution. That is, the executed view might not be labeled or identified as a non-compliant view. If, however, any of the data retrieved for the view is privacy protected, the system may determine in step 520 whether the data was returned and displayed to the requesting user. In some instances, data may be returned but might not be displayed to the requesting user. Alternatively, the data may be hidden (e.g., blacked out or replaced with ambiguous characters such as “XXXXX”) upon display. In other instances, if data is returned to the requesting device and user, the system may assume that the data was displayed to the requesting user. If the system determines that the data was not returned and/or displayed to the requesting user, the system may similarly return to step 510 for the next identified instance of view execution and the view might not be labeled/identified as a non-compliant view.

However, if the data was returned and displayed to the requesting user (e.g., without masking), the system may determine whether the user was authorized to view the data in step 525. In one example, the system may compare the user's authorization level with an authorization level required for viewing each of the privacy-protected records or record attributes. In a particular example, each user may be associated with a list of data that he or she is authorized to view. Accordingly, this list may be compared to the data that was returned to make the above determination of step 525. In another particular example, the user may be associated with a particular authorization level (e.g., on a scale of low-high, 1-10, etc.) and privacy-protection may be identified with a corresponding authorization level. Other attributes may also be determinative of whether a user is authorized to view the data. For example, data may be privacy-protected by organization. That is, one organization (e.g., a department within a company) may be authorized to view consumer phone numbers while another organization (e.g., another department within the same company) might not have such authorization. Accordingly, privacy settings may be defined by organization. A user's associated organizations may then be compared to authorized organizations for privacy compliance.

If the system determines that the user is authorized to view the retrieved and displayed data, the system may return to step 510 for the next identified instance of view execution and the view might not be labeled/identified as a non-compliant view. However, if the user was not authorized to view the retrieved data, the system may flag the executed view responsible for retrieving and displaying the data as non-compliant in step 530. In one example, a flag indicator may be stored as metadata in association with the view in a database of views. In another example, a flag may take the form of comments added into the executable code of the view. Various other methods for flagging the view may be used.

Alternatively or additionally, the system may suspend availability of and/or accessibility to the non-compliant view in step 535. Thus, a user might not be able to access, identify or execute the view upon suspension. In one particular example, the system may move the view to a holding database or storage area that is non-accessible to general users (e.g., users other than administrators or personnel responsible for addressing non-compliance). The system may further generate and transmit a notification of the non-compliance in step 540 to one or more entities such as an individual or department responsible for creating the view, personnel responsible for resolving non-compliance issues and the like. The notification may, in some instances, include a requirement that the view be fixed prior to re-inserting the view back into normal operations (e.g., accessible and executable). Accordingly, the system may set, in step 545, a deadline for fixing the view. The deadline may be enforced by deleting the view if the deadline is not met. Alternatively, if the deadline is not met, the system may escalate the problem to another entity higher in a predefined resolution hierarchy. Other responses and actions may be used for breach of the deadline as desired or necessary. In some examples, once the view is fixed, the date of remediation may be recorded in a database.

In step 550, the system may further generate a compliance report identifying non-compliant views and providing various compliance statistics upon evaluating all of the instances in the activity log. The report may include information similar to that described above with respect to step 330 of FIG. 3.

In some arrangements, the return of privacy protected data may be considered a violation of privacy requirements. Accordingly, compliance may also be evaluated based on whether privacy protected data was returned, even if the data was not displayed. For example, step 520 may correspond to determining whether the data was returned to the user (or requesting device), rather than returned and displayed.
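The activity-log audit of FIG. 5 (steps 505-530 and the report of step 550), including the stricter variant in which returning protected data is itself a violation, can be sketched as follows. This is an added example, not code from the patent; the log format, the `EXEC_VIEW` keyword, the user, organization and column names, and the organization-based authorization table are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed policy data (assumptions for this example only).
PROTECTED = {"crm": {"ssn", "phone"}}             # database -> protected attributes
USER_ORG = {"alice": "marketing", "bob": "marketing", "dana": "fraud"}
AUTHORIZED_ORGS = {"ssn": {"fraud"}, "phone": {"fraud", "support"}}

# Constructed activity log. EXEC_VIEW is the keyword marking a view execution;
# "masked" lists columns hidden from the requesting user ("-" means none).
SAMPLE_LOG = """\
2024-03-01T09:14:02 EXEC_VIEW user=alice view=v_cust_raw db=crm cols=name,ssn masked=-
2024-03-01T09:15:40 EXEC_VIEW user=bob view=v_cust_masked db=crm cols=name,ssn masked=ssn
2024-03-01T09:16:00 LOGIN user=dana
2024-03-01T09:17:31 EXEC_VIEW user=dana view=v_cust_raw db=crm cols=name,ssn,phone masked=-
2024-03-01T09:20:05 EXEC_VIEW user=alice view=v_branches db=crm cols=city,zip masked=-
2024-03-01T09:21:44 EXEC_VIEW user=bob view=v_cust_raw db=crm cols=phone masked=-
"""

EXEC_RE = re.compile(r"^(?P<ts>\S+)\s+EXEC_VIEW\s+(?P<kv>.+)$")


def parse_executions(log_text):
    """Step 505: yield one record per logged view execution."""
    for line in log_text.splitlines():
        m = EXEC_RE.match(line.strip())
        if not m:
            continue  # not a view execution (e.g. a LOGIN entry)
        kv = dict(pair.split("=", 1) for pair in m.group("kv").split())
        masked = set() if kv["masked"] == "-" else set(kv["masked"].split(","))
        yield {"ts": m.group("ts"), "user": kv["user"], "view": kv["view"],
               "db": kv["db"], "cols": set(kv["cols"].split(",")),
               "masked": masked}


def audit_log(log_text, return_is_violation=False):
    """Steps 510-530 and 550. With return_is_violation=True, masked columns
    still count, because the data was returned even if it was not displayed."""
    findings, executions = [], Counter()
    for ex in parse_executions(log_text):
        executions[ex["view"]] += 1
        # Steps 510/515: which retrieved attributes are privacy protected?
        protected = ex["cols"] & PROTECTED.get(ex["db"], set())
        if not protected:
            continue
        # Step 520: was protected data returned and displayed (or just returned)?
        exposed = protected if return_is_violation else protected - ex["masked"]
        if not exposed:
            continue
        # Step 525: authorization by organization; unknown users get none.
        org = USER_ORG.get(ex["user"])
        unauthorized = sorted(c for c in exposed
                              if org not in AUTHORIZED_ORGS.get(c, set()))
        if unauthorized:
            # Step 530: record the execution that makes the view non-compliant.
            findings.append({"view": ex["view"], "user": ex["user"],
                             "ts": ex["ts"], "columns": unauthorized})
    flagged = sorted({f["view"] for f in findings})
    # Step 550: execution counts give a sense of severity for each flagged view.
    return {"flagged_views": flagged, "findings": findings,
            "executions_of_flagged": {v: executions[v] for v in flagged}}


if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG))
    print(audit_log(SAMPLE_LOG, return_is_violation=True)["flagged_views"])
```

In the default mode the masked view passes; in the strict mode it is flagged as well, because the protected column reached a user whose organization is not authorized for it.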

In one or more configurations, compliance auditing of a view may be automatically triggered upon receiving a request to implement the view in a live operating environment (e.g., in contrast to testing or development environments). FIG. 6 illustrates an example process whereby views are automatically processed upon receipt of such requests. In step 600, a view migration or implementation system may receive a request to migrate or install a view in a live operating environment. In some instances, the request may correspond to migrating or installing a view from a testing or development environment into a live platform that is used in ordinary day-to-day operations. In response to the request, the system may determine, in step 605, whether the view is configured to retrieve privacy protected data. If not, the system may authorize or approve the requested implementation and/or migrate the view into the live environment in step 625. If, on the other hand, the view is configured to retrieve privacy protected data, the system may execute privacy compliance auditing of the view in step 610.

Upon completion of the audit, the system may subsequently determine whether the view is privacy compliant in step 615. If so, the system may authorize implementation and/or migration as in step 625. If, however, the view is not privacy compliant, the request may be denied in step 620. Additionally or alternatively, a notification of the denial may be sent to a requesting user with a reason for the rejection.
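The static audit of FIG. 3 (steps 310-330) and the migration gate of FIG. 6 (steps 605-625) share the same view-code check, so one added example covers both. It is not code from the patent. It assumes single-table views without subqueries, treats a `CASE ... END` wrapper around a protected column as the privacy enforcement code, and uses constructed table, column and view names plus a hypothetical `AUTH_OK()` predicate.

```python
import re
from datetime import date

# Constructed privacy-requirements store (step 315): table -> protected columns.
PROTECTED = {"customers": {"ssn", "phone"}, "accounts": {"balance"}}

# Constructed copy of the view catalog (steps 300/305). AUTH_OK() is a
# hypothetical authorization predicate, present only to give CASE a condition.
CATALOG = {
    "v_cust_masked": """CREATE VIEW v_cust_masked AS
        SELECT name,
               CASE WHEN AUTH_OK('pii') = 1 THEN ssn ELSE 'XXXX' END AS ssn
        FROM customers""",
    "v_cust_raw": "CREATE VIEW v_cust_raw AS SELECT name, ssn, phone FROM customers",
    "v_cust_all": "CREATE VIEW v_cust_all AS SELECT * FROM customers",
    "v_branches": "CREATE VIEW v_branches AS SELECT city, zip FROM branches",
}

SELECT_RE = re.compile(r"SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)", re.I | re.S)
ALIAS_RE = re.compile(r"\s+AS\s+\w+\s*$", re.I)
GUARD_RE = re.compile(r"^CASE\b.*\bEND$", re.I | re.S)


def split_select_list(cols):
    """Split a select list on commas outside parentheses and string literals."""
    items, cur, depth, in_str = [], [], 0, False
    for ch in cols:
        if ch == "'":
            in_str = not in_str
        elif not in_str and ch in "()":
            depth += 1 if ch == "(" else -1
        if ch == "," and depth == 0 and not in_str:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur).strip())
    return items


def audit_view(sql):
    """Steps 310-320: find protected columns and check each for a CASE guard.
    The check detects presence of a guard, not whether its condition suffices."""
    m = SELECT_RE.search(sql)
    if not m:
        raise ValueError("unsupported view definition")
    protected = PROTECTED.get(m.group("table").lower(), set())
    retrieved, unguarded = set(), set()
    for item in split_select_list(m.group("cols")):
        if item == "*":  # complete view of the table: nothing is guarded
            retrieved |= protected
            unguarded |= protected
            continue
        expr = ALIAS_RE.sub("", item)  # the output alias is not a column read
        idents = re.findall(r"[A-Za-z_]\w*", re.sub(r"'[^']*'", "", expr))
        hits = {w.lower() for w in idents} & protected
        retrieved |= hits
        if hits and not GUARD_RE.match(expr):
            unguarded |= hits
    return {"protected_retrieved": sorted(retrieved),
            "unguarded": sorted(unguarded),
            "compliant": not unguarded}


def audit_catalog(catalog, detected_on=None):
    """Steps 325-330: flag non-compliant views with a detection date and report."""
    detected_on = detected_on or date.today()
    flagged = {}
    for name, sql in catalog.items():
        result = audit_view(sql)
        if not result["compliant"]:
            flagged[name] = {"unguarded": result["unguarded"],
                             "detected_on": detected_on.isoformat()}
    pct = round(100.0 * len(flagged) / len(catalog), 1) if catalog else 0.0
    return {"views_audited": len(catalog), "non_compliant": flagged,
            "pct_non_compliant": pct}


def migration_gate(sql):
    """FIG. 6: approve (step 625) or deny with a reason (step 620)."""
    result = audit_view(sql)                      # steps 605 and 610
    if not result["protected_retrieved"]:
        return True, "no privacy-protected data retrieved"
    if result["compliant"]:                       # step 615
        return True, "privacy audit passed"
    return False, "unguarded protected columns: " + ", ".join(result["unguarded"])


if __name__ == "__main__":
    print(audit_catalog(CATALOG))
    for view_name, view_sql in CATALOG.items():
        print(view_name, migration_gate(view_sql))
```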

In some arrangements, the catalog or inventory of views may be initially categorized according to those views that require privacy protection and those views that do not require privacy protection. Accordingly, only those views that require privacy protection may be evaluated for privacy compliance. In some instances, a view may require privacy protection, but may have a waiver. As such, those views may be provided with a flag or other indicator to signify the waiver.

The above processes, systems, devices and computer readable media may be used for evaluating privacy protections in a variety of arenas. For example, financial records for customers may be sensitive. Accordingly, a financial institution may wish to evaluate database views to ensure appropriate customer protections. In another example, internal memoranda and the like may be subject to secrecy and thus require protection. As such, code configured to access data from a common database may be evaluated to determine compliance with privacy requirements for the various types of data stored therein.

The methods and features recited herein may further be implemented through any number of computer readable media that are able to store computer readable instructions. Examples of computer readable media that may be used include RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, DVD, or other optical disk storage, magnetic cassettes, magnetic tape, magnetic storage and the like. The computer readable instructions may be executed by one or more processors (e.g., multi-core processor or multi-processor systems) to cause an apparatus such as a computing device to perform various tasks, functions and the like.

While illustrative systems and methods as described herein embodying various aspects are shown, it will be understood by those skilled in the art that the invention is not limited to these embodiments. Modifications may be made by those skilled in the art, particularly in light of the foregoing teachings. For example, each of the elements of the aforementioned embodiments may be utilized alone or in combination or subcombination with elements of the other embodiments. It will also be appreciated and understood that modifications may be made without departing from the true spirit and scope of the present invention. The description is thus to be regarded as illustrative instead of restrictive on the present invention.

1. A method comprising: evaluating, by a computing system having at least one processor, a database storing a plurality of data records to identify one or more data records or record attributes requiring privacy protection; determining that a view of the database is configured to retrieve the identified one or more data records or record attributes requiring privacy protection, wherein the view includes executable code for retrieving database information; determining whether the view includes one or more privacy settings to enforce the required privacy protection; and in response to determining that the view does not include one or more privacy settings for enforcing the required privacy protection, registering the view in a privacy compliance log.
2. The method of claim 1, wherein determining whether the view includes one or more privacy settings to enforce the required privacy protection includes: determining whether the executable code is configured to, upon execution, evaluate whether an executing user is authorized to view the one or more data records or record attributes.
3. The method of claim 1, wherein determining whether the view includes one or more privacy settings to enforce the required privacy protection includes: determining, based on an activity log, that the view was executed by a user; determining that the view included the identified one or more data records or record attributes requiring privacy protection; and determining that the user is not authorized to view the identified one or more data records or record attributes requiring privacy protection.
4. The method of claim 3, wherein determining, based on the activity log, that the view was executed by the user includes examining a copy of the activity log.
5. The method of claim 1, further comprising generating a report specifying a number of views of a plurality of views that are required to have privacy settings, but do not have privacy settings.
6. The method of claim 1, further comprising: in response to determining that the view does not include one or more privacy settings for enforcing the required privacy protection, suspending an ability for users to use the view.
7. The method of claim 1, further comprising, in response to determining that the view does not include one or more privacy settings for enforcing the required privacy protection: generating a notification that the view does not include the one or more privacy settings; and scheduling a deadline for correcting the view to include the one or more privacy settings.
8. An apparatus comprising: at least one processor; and memory storing computer readable instructions that, when executed, cause the apparatus to: evaluate a database storing a plurality of data records to identify one or more data records or record attributes requiring privacy protection; determine that a view of the database is configured to retrieve the identified one or more data records or record attributes requiring privacy protection, wherein the view includes executable code for retrieving database information; determine whether the view includes one or more privacy settings to enforce the required privacy protection; and in response to determining that the view does not include one or more privacy settings for enforcing the required privacy protection, register the view in a privacy compliance log.
9. The apparatus of claim 8, wherein determining whether the view includes one or more privacy settings to enforce the required privacy protection includes: determining whether the executable code is configured to, upon execution, evaluate whether an executing user is authorized to view the one or more data records or record attributes.
10. The apparatus of claim 8, wherein determining whether the view includes one or more privacy settings to enforce the required privacy protection includes: determining, based on an activity log, that the view was executed by a user; determining that the view included the identified one or more data records or record attributes requiring privacy protection; and determining that the user is not authorized to view the identified one or more data records or record attributes requiring privacy protection.
11. The apparatus of claim 8, wherein the memory further stores instructions for: in response to determining that the view does not include one or more privacy settings for enforcing the required privacy protection, suspending an ability for users to use the view.
12. The apparatus of claim 8, wherein the memory further stores instructions for, in response to determining that the view does not include one or more privacy settings for enforcing the required privacy protection: generating a notification that the view does not include the one or more privacy settings; and scheduling a deadline for correcting the view to include the one or more privacy settings.
13. The apparatus of claim 8, the memory further storing instructions for generating a report specifying a number of views of a plurality of views that are required to have privacy settings, but do not have privacy settings.
14. One or more non-transitory computer readable media storing computer readable instructions that, when executed, cause an apparatus to: evaluate a database storing a plurality of data records to identify one or more data records or record attributes requiring privacy protection; determine that a view of the database is configured to retrieve the identified one or more data records or record attributes requiring privacy protection, wherein the view includes executable code for retrieving database information; determine whether the view includes one or more privacy settings to enforce the required privacy protection; and in response to determining that the view does not include one or more privacy settings for enforcing the required privacy protection, register the view in a privacy compliance log.
15. The one or more computer readable media of claim 14, wherein determining whether the view includes one or more privacy settings to enforce the required privacy protection includes: determining whether the executable code is configured to, upon execution, evaluate whether an executing user is authorized to view the one or more data records or record attributes.
16. The one or more computer readable media of claim 14, wherein determining whether the view includes one or more privacy settings to enforce the required privacy protection includes: determining, based on an activity log, that the view was executed by a user; determining that the view included the identified one or more data records or record attributes requiring privacy protection; and determining that the user is not authorized to view the identified one or more data records or record attributes requiring privacy protection.
17. The one or more computer readable media of claim 14, further comprising instructions for: in response to determining that the view does not include one or more privacy settings for enforcing the required privacy protection, suspending an ability for users to use the view.
18. The one or more computer readable media of claim 14, further comprising instructions for, in response to determining that the view does not include one or more privacy settings for enforcing the required privacy protection: generating a notification that the view does not include the one or more privacy settings; and scheduling a deadline for correcting the view to include the one or more privacy settings.
19. The one or more computer readable media of claim 14, further comprising instructions for generating a report specifying a number of views of a plurality of views that are required to have privacy settings, but do not have privacy settings.
20. The one or more computer readable media of claim 19, wherein the privacy settings include computer executable code conditioning at least one of retrieval and display of privacy protected data on one or more requirements.